[Samba] security = ads parameter not working in samba 4.9.5

Sérgio Basto sergio at serjux.com
Thu Nov 28 20:01:40 UTC 2019


On Thu, 2019-11-28 at 10:21 +0000, Rowland penny via samba wrote:
> On 27/11/2019 23:57, Sérgio Basto wrote:
> > Thank you for the warning :) [1], I'm fighting the same problem but I
> > have a different configuration that I never told you before: I'm
> > running my CentOS 7 packages (very similar to other fellows) [2] where
> > DC1, DC2 and DC3 are running SambaAD, samba-4.8.8-2.el7.x86_64 with
> > BIND9_DLZ (bind-9.11.4-9.P2.el7.x86_64).
> 
> First things first, remove sssd, it is not supported with Samba.
> 
> Next, stop network manager altering /etc/resolv.conf
> 
> Make /etc/hosts look like this:
> 
> 127.0.0.1   localhost
> ::1         localhost
> 172.27.28.1 ccdc1.corp.local
> 
> Just change the DCs info to match the DC it is on
> 
> /etc/resolv.conf should look like this:
> 
> search corp.local
> nameserver 172.27.2.1
> 
> Again match the IP to the DC.
> 
> Remove these lines from smb.conf:
> 
>              vfs objects = acl_xattr
>              map acl inherit = yes
>              store dos attributes = yes
> 
> You are breaking Samba by having them.

This recommendation, why? The wiki says to add it [1]
[1]
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_in_the_smb.conf_File


I tried these fixes, but nothing changed: getent passwd and getent group
stop working as soon as I change /etc/samba/smb.conf with WORKGROUP.

> Make /etc/named.conf look like this:
> 
> options {
>      directory       "/var/named";
>      dump-file       "/var/named/data/cache_dump.db";
>      statistics-file "/var/named/data/named_stats.txt";
>      memstatistics-file "/var/named/data/named_mem_stats.txt";
>      notify no;
>      empty-zones-enable no;
>      allow-query { any; };
>      allow-query-cache { any; };
>      forwarders { 8.8.8.8; 8.8.4.4; };
>      allow-transfer { none; };
>      dnssec-validation no;
>      dnssec-enable no;
>      dnssec-lookaside no;
>      listen-on port 53 { 172.27.28.1; 127.0.0.1; };
>      listen-on-v6 port 53 { ::1;};
>      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> 
> };
> 
> logging {
>      channel default_debug {
>           file "data/named.run";
>           severity dynamic;
>      };
> };
> 
> zone "." IN {
>      type hint;
>      file "named.ca";
> };
> 
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
> include "/var/lib/samba/bind-dns/named.conf";
> 
> The howto you ultimately linked to tells you to open ports 1024:5000 in
> the firewall; this is now incorrect, you need to open ports 49152-65535.
> 
> > REPO server is Domain_Member [3] with Idmap_config_ad, of DOMAIN corp,
> > and I'm testing with SambaAD-4.10.9 or 10.
> > 
> > What else?
> > getent passwd and getent group just work with the previous
> > configuration and stop when I set the workgroup in idmap, as you wrote
> > "it MUST be workgroup not realm".
> > 
> > 
> > Notes on the script:
> > CentOS 7 DNS configuration is in /etc/named.conf, not in
> > /etc/bind/named.conf; I had to hack the script a little, and for
> > dpkg -l I replaced it with rpm -qa.
> > 
> > 
> > [1]
> > https://paste.centos.org/view/8d205024
> > https://paste.centos.org/view/bba5f6c4
> > 
> > [2]
> > https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/
> > 
> > [3]
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > 
> Fix your DCs and see how you go on ;-)
> 
> Rowland
> 
> 
> 
-- 
Sérgio M. B.
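As an added example (not from this thread, Samba or the wiki), a small POSIX shell checklist for the DC-side points Rowland lists above: the /etc/hosts entry, /etc/resolv.conf pointing at the DC, the three smb.conf lines he says to remove, the BIND9_DLZ include and GSS-TSIG keytab in /etc/named.conf, and sssd being absent. The file paths, IP, FQDN and domain are parameters, and the check_* function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: verify the DC-side settings Rowland lists.
# File paths are parameters so the checks can run against copies of the files;
# IP/FQDN/domain are whatever your DC uses (his values were examples).

# check_hosts HOSTS_FILE IP FQDN: 0 when an "IP FQDN" entry exists in HOSTS_FILE
check_hosts() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    fqdn_re=$(printf '%s' "$3" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*${ip_re}[[:space:]]+${fqdn_re}([[:space:]]|\$)" "$1"
}

# check_resolv RESOLV_FILE DOMAIN IP: 0 when "search DOMAIN" and "nameserver IP" are both set
check_resolv() {
    ip_re=$(printf '%s' "$3" | sed 's/\./\\./g')
    grep -Eq "^search[[:space:]]+$2([[:space:]]|\$)" "$1" &&
        grep -Eq "^nameserver[[:space:]]+${ip_re}[[:space:]]*\$" "$1"
}

# check_dc_smbconf SMB_CONF: 0 when none of the three parameters he says to remove is set
check_dc_smbconf() {
    ! grep -Eiq '^[[:space:]]*(vfs objects|map acl inherit|store dos attributes)[[:space:]]*=' "$1"
}

# check_named NAMED_CONF: 0 when the BIND9_DLZ include and the GSS-TSIG keytab are configured
check_named() {
    grep -Fq 'include "/var/lib/samba/bind-dns/named.conf";' "$1" &&
        grep -Fq 'tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";' "$1"
}

# check_no_sssd: 0 when no sssd package is installed (rpm, as this is CentOS 7)
check_no_sssd() {
    command -v rpm >/dev/null 2>&1 || return 0
    ! rpm -qa 2>/dev/null | grep -q '^sssd'
}

# run_checks IP FQDN DOMAIN: run everything against the live files, return 1 on any failure
run_checks() {
    rc=0
    check_hosts /etc/hosts "$1" "$2"        || { echo "FAIL /etc/hosts: no '$1 $2' entry"; rc=1; }
    check_resolv /etc/resolv.conf "$3" "$1" || { echo "FAIL /etc/resolv.conf: want search $3, nameserver $1"; rc=1; }
    check_dc_smbconf /etc/samba/smb.conf    || { echo "FAIL smb.conf: drop vfs objects/map acl inherit/store dos attributes"; rc=1; }
    check_named /etc/named.conf             || { echo "FAIL /etc/named.conf: missing samba include or tkey-gssapi-keytab"; rc=1; }
    check_no_sssd                           || { echo "FAIL sssd is installed; remove it"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all DC checks passed"
    return "$rc"
}

# usage on a DC: sh dc-check.sh 172.27.28.1 ccdc1.corp.local corp.local
if [ "$#" -eq 3 ]; then run_checks "$@"; fi
```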



